Posted by CmdrTaco on Wednesday March 30, 2011 @11:47AM from the breach-the-breach dept.

Orome1 writes "The computer network of the European Parliament has been targeted by a cyber attack that may or may not be linked to the attack against the European Commission and the External Action Service networks that took place a week ago. According to the Parliament's spokesmen, the attack was still ongoing yesterday morning and information technology services have put in place some security measures — such as blocking access to webmail."

Webmail is one of the worst offenders in getting viruses. My brother works at a company that sells computer equipment and they had so many problems because their sales agents were clicking on all kinds of stupid shit in their personal email accounts.

I always blocked personal email unless it was expressly allowed, and even then I told the user one issue and it's turned off.

I don't care if these are public officials. They want their public email, get it on their phones or somewhere else! I got shit to secure son!

So did my boss. Though in his defense he was expecting an email from UPS. Luckily MSSE caught it and neutralized it completely, as far as I can tell. I ran a DDS log which looked clean, and an F-Secure online scan came back with only tracking cookies.

But shouldn't Win7 and no admin rights go a long ways towards negating these types of malware?

I believe there are app config settings where you can alter the way programs are executed if you want to. You can also configure the user permissions to limit any potential damage. The biggest security risk in any OS is the user. Trying to lock down the entire OS can also cancel out some of the legitimate functionality. User vigilance and awareness is the best protection against getting a virus. The people creating the viruses and bots are really good at identifying OS weaknesses even when you are running an

Here's a hint, don't let the user be admins. Then they can't brake out of their account.....

and yes users are stupid. I had one guy who got a mail from USPS, about his Fedex tracking number on his expressmail delivery. He downloaded and opened and ran a zip file. When I asked him if he was expecting a delivery he said 'I don't know'.

That's not how it works. A politician is not your employer, the government is. A politician has no hire-and-fire control over staff outside of politics, even if they have that power at all (which I wouldn't think they do). Working in the public sector myself, though not politics, I have no problem telling my employer that they cannot have admin access to their local machine, and certainly not to the domain, unless they sign off that they accept that I am released from any and all responsibility under

A politician has no hire-and-fire control over staff outside of politics, even if they have that power at all (which I wouldn't think they do).

Oh no, of course not, he could never fire you. Of course, it would be a shame if the department's budget was cut to $10. Of course, the politician would probably want to run that by your boss and get his input on the matter, to make sure the right cuts were being made.

Here's a hint, don't let the user be admins. Then they can't brake out of their account.....

Except in cases of privilege escalation exploits, and there's plenty of snooping that can be done by a program running under a user's context. I'm pretty sure most large corporate networks have all their non-techy users locked down, but that doesn't mean people can't still hack in through a non-admin account.

Oh indeed exploits are always an issue. However, at least in the place I work, anyone who wants admin is given it, with the most flimsy of reasons to the most incompetent people. So I just sit and wait for the train wreck.

And the userland driveby downloads can sit in the background, schedule themselves to run on boot up/log in, regularly download new exploit attempts (just before Patch Tuesday), or act as botnet members for DDoSes, etc.

Deceleration doesn't affect computer security. That aside, users aren't stupid (in the main). They just aren't entirely sure what a computer will or won't do. The same as I'm not quite so sure I could do the job my system users perform (i.e. surgery, anaesthetics, haematology etc.). Part of my job is to make sure they're as safe as they can be in doing their job, while still allowing them to do it. There are so many infection vectors (compromised web sites, including the occasional high profile one, webm

I'd wonder why webmail access was available in the first place. Isn't there some requirement for auditability of their mail? I mean, they're public servants, isn't that like opening a backdoor for shady deals?

Aside of that, one of the FIRST things I recommend during a security audit is to disallow any mail traffic but auditable and company owned systems, on all levels. Usually it is trivial to get it done for the lower echelons, but the resistance at C-level is crippling. In other words, yes, we'll do it fo

I hope you document their response and have them sign off on it.
One of the biggest concerns is that their policies can be pushed back on you. As if it is your fault you told them and they didn't listen.
But yes, I also lock down port 25 for everyone except vital systems.

Of course, and of course they sign it off without a problem. Why not? It doesn't threaten their ability to get the certificate they're aiming for (yes, a security cert does NOT certify that you're secure, only that you have evaluated the risks, if you choose to ignore them, so be it), so why shouldn't they sign it off? It IS very funny sometimes, though, to read how they justify their "need" for webmail or access to certain pages (e.g. facebook) that MUST NOT be accessed by anyone else in the company for th

Even if this was true, the sysadmin, whether Windows or Linux, wouldn't have provided permission to just run something with write-access to root. I am sure it would have been more sophisticated than that.

I worked for a while for politicians. If you think your boss has an ego that needs its own office, you never worked for one. OF COURSE he, his secretary and his dog need admin privileges. How dare you expect to be allowed to do more on the computer than him?

I can't believe all the half ass comments here for a tech discussion. This is going on with a broader spectrum. Shame on /. and shame on this userbase. Amazing how some are unwilling to connect the dots, and submit good journalism / editorials.